Key

This line was added.

This line was removed.

Formatting was changed.

...

The //NOSONAR tag is useful to deactivate all rules at a given line but is not suitable to deactivate all rules (or only a given rule) for all the lines of a method or a class. This is why support for @SuppressWarnings("all") has been added to Sonar.

Maven analysis

What is the difference between org.codehaus.mojo:sonar-maven-plugin and org.codehaus.sonar:sonar-maven-plugin?

Here is the rational: Sonar needs a Maven plugin to perform analysis of your project. This plugin is part of Sonar project so the name of this plugin is org.codehaus.sonar:sonar-maven-plugin because codehaus is hosting the project. Each time there is a new version of Sonar, there is a new version of the Sonar plugin. For a given version of the Sonar server, you MUST run the same version of the Sonar Maven plugin. It means that you would have to run

BUT in this case the latest version of the Sonar plugin would be taken. As soon as Sonar 2.6 would be released, Maven would automatically use the plugin in version 2.6. If you don't plan to upgrade your Sonar server, it will fail. The answer to this problem is already well-known: define all versions of your plugins in the pom. So you would add:

in all pom (or in corporate pom). And you would have to update your projects each time you are updating sonar server. Very annoying but that's not all. What if you have an integration/acceptance/pre-production instance of Sonar in version 2.5, and a production version in version 2.4? You can't analyse the same project with the two instances because you have fixed the version of the sonar plugin to version 2.5 in the pom. You may finally make it works with external properties or any other ugly hack.

The solution proposed by Sonar team is to use a bootstrap plugin. This plugin:

is hosted in org.codehaus.mojo groupId in order to save the settings.xml configuration

is supposed to be very stable (ie do not change for each Sonar server release)

When you run

Code Block

mvn sonar:sonar

Maven understands:

Code Block

mvn org.codehaus.mojo:sonar-maven-plugin:LATEST:sonar

. The bootstrap plugin will query Sonar server to find its version, then fork a new build to run the normal plugin with

Code Block

mvn org.codehaus.sonar:sonar:maven-plugin:XX:sonar

where XX is the version previously returned by the server. This way you can analyse the same project with different versions of Sonar and still running the same command line (except Sonar hostname of course) and without having to modify the pom.

Most of the time you need latest version of the boostrap plugin, so no need to fix its version in your pom, except if you want to test a particular version (an old one or a SNAPSHOT for example).

This issue occurs when using a Sonar version prior to 2.2. To fix it, it's recommended to upgrade Sonar and the maven plugin to version 1.0-beta-2 (for Maven 2 projects) or 2.0-beta-2 (for Maven 3 projects).

Sonar embeds its own maven repository which is used by the Sonar maven plugin to download all Sonar extensions like pmd, checkstyle, findbugs, etc. If you get this error, it's certainly because your Maven configuration prevents Sonar from accessing its own Maven repository. Your maven settings.xml file must certainly contain a section called <mirror> which should look like this :

According to this section, Maven redirects all calls to the repository called 'nexus', so Sonar maven repository is never touched and Sonar maven plugin fails to resolve org.codehaus.sonar.runtime.* dependencies. Two solutions to solve this issue:

If you have Maven version 2.0.9 or higher, just change the value of <mirrorOf> by

The plugin 'org.apache.maven.plugins:maven-sonar-plugin' does not exist or no valid version could be found

If you get this error message after launching the maven command line "mvn sonar:sonar" add the "-U" parameter to the command line. Maven will then update its local repository with the latest version of the Sonar Maven plugin.

If adding the "-U" parameter doesn't fix your issue, you've certainly encountered Maven bug MNG-4001. The only known workaround is to delete the org\codehaus\mojo directory in your local Maven repository. Of course, if your local Maven repository is synchronized with a repository manager like Nexus, this operation must be also done on the repository manager side.

Maven fails with an OutOfMemoryError

Increase the maven available memory by setting the environment variable :

Code Block

MAVEN_OPTS="-Xmx512m -XX:MaxPermSize=256m"

Maven fails with a SecurityException

The message of the root exception is

Code Block

class "org.sonar.commons.database.SchemaInfo$$EnhancerByCGLIB$$15d095d4"'s signer information does not match
signer information of other classes in the same package

The CGLIB library available in your Maven repository is certainly signed which is not the case on IBIBLIO repository. Perhaps you or your Maven administrator have signed this jar to include it into a Java Web Start application. Unfortunately signing CGLIB jar file breaks Hibernate's use of CGLIB, as it generates proxy classes in the same package (org.sonar.commons.database.* for our context) as the original class. But the original Sonar class is not signed and the new proxy class is, generating a java.lang.SecurityException.

You must also sign Sonar libraries in your Maven repository or used unsigned CGLIB library.

Findbugs fails on timeout

Add the findbugs-maven-plugin to the plugins section of the pom and configure the parameter "timeout".

0% code coverage reported whereas unit tests are correctly executed

This problem occurs when using the Maven Cobertura Plugin and a special configuration of the Maven Surefire Plugin preventing unit tests to be forked. This problem can be solved by removing the line "<forkMode>never</forkMode>" in the Maven configuration file (see SONAR-1445 and MCOBERTURA-70).

My project only builds with JDK1.4

As Sonar can only run with JDK1.5 or higher, some configuration should be added to the pom.xml to indicate that the project requires JDK1.4: